Ransomware and Bitcoin Enter New Phase

The phenomenal appreciation in Bitcoin’s value against the dollar, up roughly 18x in 2017 and 4x since September, gives us pause to consider – from a security perspective – what this might mean for ransomware in the near and distant future.

Ransomware and Bitcoin Codependency

It is not an exaggeration to say that without each other, ransomware and Bitcoin might not exist at all. I think it’s largely understood that the rise of a virtual, anonymized and easy-to-use payment system was a key factor in making ransomware the phenomenon it is today.

I believe the fundamental importance of ransomware to the development of Bitcoin is slightly less obvious to some. A back-of-the-envelope calculation based on ransomware payment estimates and data from Bitcoin.com suggests that ransomware payments accounted for as much as 20 percent of the Bitcoin “money supply” in 2016 and through the beginning of 2017y, until the recent run-up. One-fifth is a market-moving part of any currency’s float.

Is Ransomware Still Pressuring Bitcoin Prices?

The most obvious explanations for the current run-up in Bitcoin are a) it’s a tulip craze or b) Bitcoin has crossed some credibility barrier and entered the mainstream. But we shouldn’t count out the ransomware float’s possible continuing contribution.

Arguing in favor of the idea that Bitcoin was mid-wifed by ransomware, but has now crossed some hockey stick threshold into legitimacy, and is no longer particularly dependent on the ransomware economy, we see that major retailers like Overstock, Virgin Galactic, PayPal, eBay, and Expedia have begun to accept Bitcoin as payment. A Bitcoin futures market has been announced. Bitcoin ATMs began appearing in major cities in 2014 and are now entering smaller markets, appearing in convenience stores and pubs around the globe. You can even donate in Bitcoin to organizations such as The Water Project and Save the Children.

The “tulip craze/Ponzi scheme” argument also has many adherents who voice the certainty (this author included) that this is a bubble being driven by speculators, which must burst some day. Admittedly, the long-term viability of Bitcoin is a complex question to ponder, being equal parts mass psychology, macroeconomics and technical evaluation. The scenario of a Bitcoin meltdown is enhanced by pointing out that there are other cryptocurrencies available, like Ethereum, Bitcoin Cash, Ripple, and Litecoin among hundreds, ready to fill the void, without getting into the idea that governmental monetary authorities might get into the act themselves – or interfere.

Ransomware Rainy-Day Funds

However, there is still an argument to be made that ransomware-related Bitcoin purchases by businesses might still be contributing to the “tightness” of the Bitcoin money supply, and helping feed the upward spiral. After all, ransomware gives no indication of abating, WannaCry seemed to popularize the corporate fear of ransomware in a way billions of Locky emails never quite did, and three large public companies (Maersk, Merck and FedEx subsidiary TNT) recently disclosed ransomware-related losses in the range of $200-$300 million dollars in their Q3 earnings reports.

First noted in research a year ago, we see new reports that corporations have accelerated stockpiling Bitcoin, to have it on hand for eventual quick payment in case of a ransomware breach. A survey by OnePoll says the propensity of businesses to stockpile Bitcoin is up 4x from a year ago, and we imagine that as the price accelerates, a certain panic to acquire one’s own ransomware payment slush fund might set in.

But will Bitcoin appreciation push ransomware away?

Whatever the reason, for cybercriminals, the recent run-up means the use of Bitcoin certainly presents a pricing or at least an administrative problem, where the price expressed in Bitcoin has to be managed downward, and quickly (like every day). It’s sort of the reverse problem of living in an economy suffering 1000% inflation. Charging (as a typical example) 0.2 Bitcoin ransom for a decryption key meant the victim paid $200 a year ago, and $1,000 just this September – today it means $3,800. Any decision to pay or not pay requires weighing and measuring the costs and benefits of the two alternatives, and what seemed expedient at $200 may not seem like a good idea at $3,800.

Ransomware or currency speculation – which business?

It’s probably neither here nor there, but we are also confronted with the idea that people with substantial Bitcoin holdings are now rolling in it. The popular press may be writing about the Winkelvoss twins’ new billions, and one virtual currency hedge fund has just sent a letter around to investors announcing returns since 2013 of 25,000 percent, but malware authors (and other criminal organizations) whose holdings were substantially in Bitcoin are equally seeing their ill-gotten gains multiply. For criminals holding Bitcoin wallets from earlier ransomware attacks, a wallet with 98 bitcoins worth $400K in September (an actual example) is now worth approximately $1.8 million, and the value is up 20x from last January.

I doubt that this new abundance of financial resources will change behavior, but one must consider that the wherewithal of many bad actors has just been substantially enhanced. It seems unlikely they’ll retire to Tahiti any time soon.

Sigurdur “Siggi” Stefnisson is vice president of threat detection at Cyren, an Internet Security as a Service provider that protects users against cyberattacks and data breaches through cloud-based web security, email security, DNS security and sandboxing solutions.